The Rights Stuff

Novell Cool Solutions: Tip

How many of your users and objects have too many rights? And how would you go about finding out who and what they are?

A Forum reader recently commented:

"We have reason to consider that our eDirectory tree security was compromised by way of a key logger. What would be the best way to figure out objects that have 'too many rights' in the tree? We have over 4000 student objects, and we don't want to have to check them all manually."

And a Forum expert responded:

The way I've done it in the past is to start with the objects that already have too many rights (admin objects, server objects, that sort of thing) and look for security equivalences and trustee rights that shouldn't be there. Then I'd go for the high-level O/OU objects and see what kind of trustee rights have been granted there as well.

If the high-level objects come back clean, then start working your way down the tree. You shouldn't have to go to each and every user object and see what rights that object has to the tree - that would take far too long. But you should have a lot fewer OUs and servers out there than students. It's still a manual process, but at least it wouldn't take a month. For comparison, the BindView product has a useful "too many rights" filter included.

Start by looking at security equivalences to admin and other objects that have direct rights to [Root] and the O levels of the tree - and then work from there.
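As an added example (not part of the original tip or of any Novell tool), the following script automates the first pass the expert describes: it reads an LDIF export of the high-value objects (O/OU containers, admin and user objects) and flags ACL entries that grant Supervisor entry rights to anyone outside a known-good list, plus objects that are security equivalent to a trusted admin DN. The ACL value format is eDirectory's LDAP representation (`privileges#scope#subjectDN#protectedAttribute`, with bit 16 of the privileges meaning Supervisor for [Entry Rights]); the DNs, the `TRUSTED` set and the LDIF sample are constructed for illustration.

```python
# Added example: scan an eDirectory LDIF export for excess rights.
# ACL attribute format (eDirectory LDAP): privileges#scope#subjectDN#protectedAttribute
# For [Entry Rights], privilege bit 16 = Supervisor. Sample data below is constructed.
from collections import defaultdict

SUPERVISOR = 16
# Objects that are allowed to hold Supervisor rights / be equivalence targets (assumption).
TRUSTED = {"cn=admin,o=acme"}

SAMPLE_LDIF = """\
dn: o=acme
ACL: 16#subtree#cn=admin,o=acme#[Entry Rights]
ACL: 1#subtree#[Public]#[Entry Rights]
ACL: 16#subtree#cn=jdoe,ou=students,o=acme#[Entry Rights]

dn: cn=jdoe,ou=students,o=acme
securityEquals: cn=admin,o=acme

dn: cn=asmith,ou=students,o=acme
securityEquals: cn=students,ou=groups,o=acme
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from simple LDIF (no line wrapping or base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = value
            entries[current] = defaultdict(list)
        elif current is not None:
            entries[current][attr].append(value)
    return entries

def find_excess_rights(text, trusted=TRUSTED):
    """Return (dn, reason) pairs for Supervisor grants to untrusted subjects
    and for untrusted objects that are security equivalent to a trusted DN."""
    findings = []
    for dn, attrs in parse_ldif(text).items():
        for acl in attrs.get("ACL", []):
            priv, scope, subject, protected = acl.split("#", 3)
            if protected == "[Entry Rights]" and int(priv) & SUPERVISOR \
                    and subject.lower() not in trusted:
                findings.append((dn, f"Supervisor ({scope}) granted to {subject}"))
        for target in attrs.get("securityEquals", []):
            if target.lower() in trusted and dn.lower() not in trusted:
                findings.append((dn, f"security equivalent to {target}"))
    return findings

if __name__ == "__main__":
    for dn, reason in find_excess_rights(SAMPLE_LDIF):
        print(f"{dn}: {reason}")
```

Run the same function over an export of real containers first and work down the tree, as the tip suggests; extend `TRUSTED` with every object that legitimately holds Supervisor.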